[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Password expiration/aging?


I am doing some experimenting with password expiration and found that
not much is working in Heimdal.

- When I set the password expiration time by hand to a time before now
	kadmin> mod --pw-expiration-time=2006-08-16 vanilla
	kadmin> list -l vanilla
	               Principal: vanilla@SLAC.STANFORD.EDU
	       Principal expires: never
	        Password expires: 2006-08-16 23:59:59 UTC
  I cannot get a TGT - which is good - but I also cannot change the
	% kinit vanilla
	vanilla@SLAC.STANFORD.EDU's Password:
	kinit: krb5_get_init_creds: Password has expired
	% password vanilla
	vanilla@SLAC.STANFORD.EDU's Password:
	password: krb5_get_init_creds: Password has expired

  Should I not be able to change the password in this situation?

  What's even worse is that if I do a kinit with a _wrong_ password,
  I still get a "Password has expired" message which leaks information
  about our accounts out to just about anybody.

- Another thing I tried is to set the "requires-pw-change" attribute
  of an account
	kadmin> mod --attributes=requires-pw-change vanilla
  But the KDC does not even store this attribute change. A
  "kadmin list -l vanilla" shows an empty "Attributes" list.

So, is there anything in Heimdal that makes password expiration/aging

Many thanks,

  Alf Wachsmann                       | e-mail: alfw@slac.stanford.edu
  SLAC - Scientific Computing         | Phone:  +1-650-926-4802
  2575 Sand Hill Road, M/S 97         | FAX:    +1-650-926-3329
  Menlo Park, CA 94025, USA           | Office: Bldg. 50/323
                http://www.slac.stanford.edu/~alfw (PGP)